Debian Security Advisory

DLA-691-1 libxml2 -- LTS security update

Date Reported:
31 Oct 2016
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2016-4658, CVE-2016-5131.
More information:
  • CVE-2016-4658

    Namespace nodes must be copied to avoid use-after-free errors. But they don't necessarily have a physical representation in a document, so simply disallow them in XPointer ranges.

  • CVE-2016-5131

    The old code would invoke the broken xmlXPtrRangeToFunction. range-to isn't really a function but a special kind of location step. Remove this function and always handle range-to in the XPath code. The old xmlXPtrRangeToFunction could also be abused to trigger a use-after-free error with the potential for remote code execution.

For Debian 7 Wheezy, these problems have been fixed in version 2.8.0+dfsg1-7+wheezy7.

We recommend that you upgrade your libxml2 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: